Bytes | Software Development & Data Engineering Community

How secure is the security from my security form?

Hey, I have a question about how secure the following will be....

I want to have a login form that posts to itself, so when it loads it checks
if there is a username and password on the query list.

If there is not, it asks for one.

If there is, it checks to see if the information is valid.

If it is not valid, it deletes the attributes and calls itself again.

If it is valid it sets a particular session variable to be some value and
redirects to the next page.

Every page from there on in will check to see if the session variable is set
and if not will redirect back to the login page.

Are there any security risks/holes that I should know about?

Thanks in advance,
Aaron

PS I do have access to Tomcat, but have been unable to figure out how to set
it up (this is my first time setting up security for a site) - so if anyone
has any tips/links that information would be most appreciated. Thanks
again.
Jul 17 '05 #1
Aaron,

The most important security issue involved here is the submission of the
login parameters. If it is a plain HTTP form the data can easily be
intercepted and the login parameters can be extracted.

There are several ways to prevent this. One would be to use HTTPS instead of
HTTP for submitting the form. This has the disadvantage that you need an
(expensive) certificate.
Another solution is to do the following. When you generate the login form on
the server side, generate some random key with it. On the page, put some
JavaScript that will hash-encode the entered username/password using the
random key in the hash algorithm. Make sure you use a destructive hash
function with sufficient spreading. Do not post the username/password but
submit the username/hash result. Since on the server you know the random key,
the hash function and the user's password, you can recalculate the
hash value from that data. If the hash values match you allow the logon
attempt, otherwise you reject it. This way, if someone captures the posted
data he cannot use it to attempt a successive logon, since the random key
that was used is no longer valid on the server.

It is not as secure as HTTPS would be, but it comes close enough for most
situations. Using a good hash function and random generator can make it a
pretty secure method.

Regards,

Silvio Bierman


Jul 17 '05 #2
Thanks for the info.

HTTPS may work then; the only people that are going to be using this are
employees, so we can just ignore the warning (but that does not look very
professional).

I am still going to try to figure out how to configure Tomcat, as I believe
this is the most secure way - but I have tried to sort through "The Apache
Jakarta Project: The Tomcat 4 Servlet JSP Container" @
http://jakarta.apache.org, but have not been able to make it work yet.

If you know of any good books or links that explain this process step by
step, the info would be most appreciated.

Thanks again
Aaron.

Jul 17 '05 #3
Which warning are you referring to? The warning about "unknown certificate
authority?" DO NOT tell people to ignore this warning. It might be benign
in your case, but knowing how most employees think, they would ignore it
for all other sites that may not be benign.

Instead, there are two other options. First, you can actually get a
certificate from Verisign or Thawte. Done.

Or you can self-sign the certificate (which of course is quite a bit
cheaper), and then go around to all machines in your company and install
the certificate (usually, it is fairly easy to do: visit one of the
HTTPS-protected Web sites, and then the warning message should give you
the option to install the certificate).

On Mon, 28 Jul 2003 18:57:46 +0000, Aaron wrote:
Thanks for the info.

HTTPS may work then; the only people that are going to be using this are
employees, so we can just ignore the warning (but that does not look
very professional).
--
Keep American Families united! Support H.R. 539 and H.R. 832
For more information, see http://www.kkeane.com/lobbyspousal-faq.shtml

Jul 17 '05 #4